apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: dexclients.deckhouse.io
  labels:
    heritage: deckhouse
    module: user-authn
spec:
  group: deckhouse.io
  scope: Namespaced
  names:
    plural: dexclients
    singular: dexclient
    kind: DexClient
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema: &schema
        openAPIV3Schema:
          type: object
          description: |
            Allows applications that support DC authentication to interact with Dex.

            After the `DexClient` object appears in the cluster:
            * Dex will register a client with a `dex-client-<NAME>@<NAMESPACE>` **clientID**, where `<NAME>` and `<NAMESPACE>` are `metadata.name` and `metadata.namespace` of the DexClient object, respectively.
            * A `dex-client-<NAME>` Secret containing the client access password (**clientSecret**) will be created in the corresponding namespace (where `<NAME>` is `metadata.name` of the DexClient object).

            [Usage example...](usage.html#configuring-the-oauth2-client-in-dex-for-connecting-an-application)
          required:
            - spec
          properties:
            spec:
              type: object
              properties:
                allowedGroups:
                  type: array
                  description: |
                    A list of groups whose members are allowed to connect to the client;
                    **By default**, all groups can connect.
                  items:
                    type: string
                redirectURIs:
                  type: array
                  description: 'Array or urls that Dex can redirect to after successful authentication.'
                  items:
                    type: string
                trustedPeers:
                  type: array
                  description: |
                    OAuth2 client IDs that allowed cross authentication with the current client.

                    [Details...](https://developers.google.com/identity/protocols/CrossClientAuth)
                  items:
                    type: string
    - name: v1
      served: true
      storage: false
      schema: *schema
